Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump nodemailer from 8.0.4 to 8.0.5

Open
Number: #20541
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: Unknown
Comments: 4
Created: April 08, 2026 at 08:43 PM UTC
(13 days ago)
Updated: April 08, 2026 at 08:48 PM UTC
(13 days ago)
Labels:
dependencies User submitted javascript
Description:

Bumps nodemailer from 8.0.4 to 8.0.5.

Release notes

Sourced from nodemailer's releases.

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

  • decode SMTP server responses as UTF-8 at line boundary (95876b1)
  • sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)
Changelog

Sourced from nodemailer's changelog.

8.0.5 (2026-04-07)

Bug Fixes

  • decode SMTP server responses as UTF-8 at line boundary (95876b1)
  • sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)
Commits
  • 202cfb3 chore(master): release 8.0.5 (#1809)
  • b634abf docs: add CLAUDE.md with project conventions and release process
  • 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
  • 0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection...
  • 08e59e6 chore: update dev dependencies
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated email service dependencies to the latest patch version for improved stability and performance.
Package Dependencies
Package:
nodemailer
Ecosystem:
npm
Version Change:
8.0.4 → 8.0.5
Update Type:
Patch
Security Advisories
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
GHSA-vvjj-xcjg-gr5g MODERATE
### Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport `name` configuration option. The `name` value is used directl...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 15141270
UUID: 4227530261
Node ID: PR_kwDODgj3cc7Q7obH
Host: GitHub
Repository: PipedreamHQ/pipedream